Pix VPN Problem - ISAKMP: malformed payload

Discussion in 'Cisco' started by boxers999, Jan 9, 2008.

  1. boxers999

    boxers999 Guest

    Hi,

    Can anyone help me with a PIX to Firebox VPN?

    Here is my error:

    ISAKMP: reserved not zero on payload 5!
    ISAKMP: malformed payload

    OUTPUT:-

    pixfirewall#
    ISAKMP (0): beginning Main Mode exchange
    crypto_isakmp_process_block:src:62.*.*.*, dest:82.*.*.* spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
    ISAKMP: encryption DES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth pre-share
    ISAKMP: life type in seconds
    ISAKMP: life duration (basic) of 8912
    ISAKMP: default group 1
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:62.*.*.*, dest:82.*.*.* spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): ID payload
    next-payload : 8
    type : 1
    protocol : 17
    port : 500
    length : 8
    ISAKMP (0): Total payload length: 12
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:62.*.*.*, dest:82.*.*.* spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): beginning Quick Mode exchange, M-ID of -1641126510:9e2e6592
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:62.*.*.*/500 Total VPN Peers:1
    VPN Peer: ISAKMP: Peer ip:62.*.*.*/500 Ref cnt incremented to:1 Total VPN Peers:1
    crypto_isakmp_process_block:src:62.*.*.*, dest:82.*.*.* spt:500 dpt:500
    ISAKMP (0): processing NOTIFY payload 18 protocol 1
    spi 0, message ID = 1449146501
    return status is IKMP_NO_ERR_NO_TRANS
    crypto_isakmp_process_block:src:62.*.*.*, dest:82.*.*.* spt:500 dpt:500
    ISAKMP: reserved not zero on payload 5!
    ISAKMP: malformed payload


    CONFIG

    access-list 200 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
    access-list 200 permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0

    sysopt connection permit-ipsec
    crypto ipsec transform-set pixtransform esp-3des esp-md5-hmac
    crypto map testmap 10 ipsec-isakmp
    crypto map testmap 10 match address 200
    crypto map testmap 10 set peer 62.*.*.*
    crypto map testmap 10 set transform-set pixtransform
    crypto map testmap interface outside
    crypto map partner-map 20 ipsec-isakmp
    crypto map partner-map 20 set security-association lifetime seconds 86400 kilobytes 536870912
    ! Incomplete
    isakmp enable outside
    isakmp key ******************** address 62.*.*.* netmask 255.255.255.255
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash sha
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 8912

    Thanks !
     
    boxers999, Jan 9, 2008
    #1

  2. boxers999

    boxers999 Guest

    Thanks, but it's sorted now.

    The Firebox had a different lifetime for the key: 24 hours and 0kb.
    The PIX won't allow 0kb. Pick a value (32000 was mine) and match them
    on both firewalls.
     
    boxers999, Jan 10, 2008
    #2
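
The debug line "reserved not zero on payload 5" names the RESERVED octet of the ISAKMP generic payload header (RFC 2408), which must be zero. The following is an added example, not code from the thread or from Cisco, that walks a payload chain and applies that check; the function names and sample bytes are constructed, and reading the number in the message as the payload type is an assumption.

```python
import struct

# Payload type names from RFC 2408 section 3.1 (subset).
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY"}
ISAKMP_HDR_LEN = 28  # cookies (16) + next/version/exchange/flags (4) + msg id (4) + length (4)


def walk_payloads(message: bytes):
    """Return [(type, name, body_len)] for cleartext payloads; raise ValueError if malformed."""
    if len(message) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_type = message[16]  # "next payload" octet of the fixed header
    (total_len,) = struct.unpack("!I", message[24:28])
    if total_len != len(message):
        raise ValueError("header length does not match datagram")
    offset, seen = ISAKMP_HDR_LEN, []
    while next_type != 0:
        if offset + 4 > total_len:
            raise ValueError(f"truncated header on payload {next_type}")
        # Generic payload header: next payload, RESERVED, payload length.
        following, reserved, plen = struct.unpack("!BBH", message[offset:offset + 4])
        if reserved != 0:
            raise ValueError(f"reserved not zero on payload {next_type}")
        if plen < 4 or offset + plen > total_len:
            raise ValueError(f"bad length on payload {next_type}")
        seen.append((next_type, PAYLOAD_NAMES.get(next_type, "?"), plen - 4))
        offset, next_type = offset + plen, following
    return seen


def build(first_type, payloads):
    """Hypothetical helper: payloads is [(next_type, reserved, body)]."""
    body = b"".join(struct.pack("!BBH", n, r, 4 + len(b)) + b for n, r, b in payloads)
    hdr = bytes(16) + bytes([first_type, 0x10, 2, 0]) + bytes(4)
    return hdr + struct.pack("!I", ISAKMP_HDR_LEN + len(body)) + body


# Constructed samples: HASH followed by ID; BAD sets RESERVED on the ID payload.
GOOD = build(8, [(5, 0x00, bytes(20)), (0, 0x00, bytes(8))])
BAD = build(8, [(5, 0x00, bytes(20)), (0, 0x7F, bytes(8))])

if __name__ == "__main__":
    print(walk_payloads(GOOD))
    try:
        walk_payloads(BAD)
    except ValueError as err:
        print("ISAKMP:", err)
```

On the wire the last Main Mode messages and all of Quick Mode are encrypted, so a receiver applies this check to the decrypted bytes.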